Bypass Rate Limit via Bypass Captcha

Hello hackers
Today we'll talk about how to bypass rate limiting
via Bypass Captcha
This article will be brief, meaning that we will explain the rate limiting in detail and Bypass Captcha in a later lesson.

what is rate Limiting ?

what is captcha?

CSRF attacks, No Rate limit attacks, Brute Forcing , etc.

Let's talk today about my experience with captcha.I entered one of the hackerone programs Looking for bug .And when I went to the Create Account page, I found captcha, so I told myself that it must be here to prevent a rate limit attack from creating multiple accounts to see if the captcha value works or not.

Create account

1-I filled in the data then i intercept request using burp suite

2-i send request to repeater then go

3-I changed some values ​​in the captcha values then go

4-I went back to the email to find two messages to create an account. Do you know what this means?

Yes, friend, your sense of security works well.We have bypassed captcha protection (captcha value is fixed).
Therefore, it accepts any values ​​we enter. The important thing is that the captcha value should be 20 characters. We enter 20 characters regardless of who does the generate for captcha value.
In CSRF too is the same problem as CSRF value is fixed

5- I send request to intruder and clear values then select two value of captcha code.You can make payload list numbers from 10 to 99 .Or make payload type as numbers then make numbers from 10 to 99 step 1 as you like .

6-Start attack go back you email you will find it Fill with emails

POC :-

Don’t forget to follow me, I have more stories waiting for you, friend, to tell you

Bye

Security Researcher | Bug Bounty Hunter